I created a Linux VM with 3 interfaces: a NAT interface for internet access (eth0 with IP 192.168.84.0/24), a host-only interface for communication with other VMs (eth1 with IP 192.168.10.10) and a VPN interface (tun0, which is up when connected to a VPN server, with an IP in 10.182.0.0/16; this may change at every connection within that range).
My goal is to set up all the necessary instructions on how to route only the incoming and outgoing internet traffic from eth1 through tun0 and leave internet access to the other applications on the gateway (if necessary). I would like to create something similar to the Whonix Gateway (where connections from the externally connected Workstation VM are routed through Tor), but instead of using Tor I would like to use a generic VPN service, accessed with OpenVPN or WireGuard.
So I thought of some steps to do:
(1) Enable IP forwarding on the Linux virtual machine by editing the /etc/sysctl.conf file and setting net.ipv4.ip_forward = 1
(2) Add a new route for the host-only interface to route all traffic through the VPN interface with the following command:
sudo route add -net 192.168.10.0 netmask 255.255.255.0 gw 10.182.4.2 dev tun0
Here I’m not sure how to handle it if the IP of tun0 changes, or whether this is correct at all.
(3) Set up iptables rules to redirect all incoming and outgoing traffic from the eth1 interface to the VPN interface, except for traffic coming from the gateway itself with the following commands:
sudo iptables -A FORWARD -i eth1 -o tun0 -j ACCEPT
sudo iptables -A FORWARD -i tun0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -t nat -A POSTROUTING -s 192.168.10.0/24 -o tun0 -j MASQUERADE
sudo iptables -t nat -A POSTROUTING -s 192.168.84.131 -o eth0 -j MASQUERADE
(4) Make the iptables rules persistent by installing the iptables-persistent package and running:
sudo apt-get install iptables-persistent
sudo iptables-save > /etc/iptables/rules.v4
(5) Configure the other virtual machine connected to the host-only network to use the Linux virtual machine as its default gateway and DNS server: set its IP address to a unique address on the same subnet as the host-only interface of the Linux virtual machine, set the default gateway to the IP address of that host-only interface, and finally set the DNS server to the same address.
But something is not working properly: from the other VM connected to the gateway through the host-only network I can’t connect to the internet (when the VPN is connected on the GW).
I’m no expert and I know I’m doing something wrong, so could someone help me simplify and adjust (remove or add instructions) these steps on how to create a Linux VM gateway that connects to the internet through a VPN and shares this and only this connection with another VM connected through a private network between the 2 VMs (so when the VPN is off, the other VM connected to the gateway has no Internet connection)?
If all of this makes sense, thank you so much.
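One way to wire up the gateway the post describes, as an added example that is not part of the original post: it reuses the post's names (eth0, eth1, tun0, 192.168.10.0/24), picks routing table 100 arbitrarily, and prints the commands by default so they can be reviewed, applying them only when run with `apply`.

```shell
#!/bin/sh
# Added example (not from the original post): VPN-only gateway rules.
# Assumed names taken from the post: eth0 = NAT uplink, eth1 = host-only,
# tun0 = VPN, 192.168.10.0/24 = host-only subnet. Table 100 is an arbitrary
# policy-routing table chosen for this example. Run once, e.g. from a
# VPN up-hook; `ip rule add` and `iptables -A` are not idempotent.
WAN=eth0; LAN=eth1; VPN=tun0; LAN_NET=192.168.10.0/24; TABLE=100

# Emit the commands instead of running them, so the ruleset can be
# reviewed (and tested) before it touches the machine.
gateway_cmds() {
  cat <<EOF
sysctl -w net.ipv4.ip_forward=1
# Policy routing: packets arriving on $LAN consult table $TABLE, whose
# default route is the point-to-point $VPN device itself. No gateway
# address is needed, so it keeps working when tun0 gets a new IP.
# The gateway's own traffic still uses the main table.
ip rule add iif $LAN lookup $TABLE
ip route replace default dev $VPN table $TABLE
# If $VPN goes down its route vanishes; this lower-priority entry then
# answers "unreachable" instead of falling through to the main table.
ip route replace unreachable default metric 1000 table $TABLE
# Kill switch: nothing is forwarded unless explicitly allowed below,
# so with $VPN down the $LAN client has no internet at all.
iptables -P FORWARD DROP
iptables -A FORWARD -i $LAN -o $VPN -s $LAN_NET -j ACCEPT
iptables -A FORWARD -i $VPN -o $LAN -d $LAN_NET -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Belt and braces: $LAN traffic must never leave through the plain uplink.
iptables -A FORWARD -i $LAN -o $WAN -j DROP
# Hide client addresses behind the VPN address only (no MASQUERADE on $WAN
# for $LAN_NET, otherwise a leak would still get a usable source address).
iptables -t nat -A POSTROUTING -s $LAN_NET -o $VPN -j MASQUERADE
EOF
}

# Apply for real: strip comment lines and feed the rest to a shell that
# stops at the first failing command.
apply_gateway() { gateway_cmds | grep -v '^#' | sh -e; }

if [ "${1:-}" = "apply" ]; then apply_gateway; else gateway_cmds; fi
```

The client VM still needs a resolver listening on the gateway's eth1 address if it is to use the gateway as its DNS server, as step (5) intends.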